Application Authentication Tokens

1. Application Authentication Tokens

In most cases, Users authenticate with a login Id (email or username) plus a password. Passport hashes passwords with a strong, deliberately slow algorithm such as BCrypt, so every password login costs measurable CPU time; that cost is what makes offline guessing expensive for an attacker. In some cases you need a faster way to authenticate Users while still keeping your data secure.

To solve this problem, Passport supports Authentication Tokens. Authentication Tokens are an Application-specific way of authenticating Users: for each Application you can enable them and then let Users generate (or specify) a token that authenticates them to that Application only. These tokens are long, opaque strings and function much like API keys. If you let Passport generate them, they are 30-45 characters long and produced with a secure random mechanism. Because a token bypasses the password-hashing cost, treat it as you would a password: send it only over TLS and store it only where you would store a password.

1.1. Enabling Authentication Tokens

To enable Authentication Tokens, open the Passport Backend web interface and navigate to Settings > Applications. Edit the Application you want to use Authentication Tokens for and click the Security tab. You'll see an option like this:

[Screenshot: the Authentication Tokens option on the Application's Security tab]

Enable this option and save the change to your Application.

1.2. Generating Authentication Tokens

Once Authentication Tokens are enabled for an Application, you can ask Passport to generate one for a User by creating or updating that User's Registration for the Application. To do so, set the request parameter generateAuthenticationToken to true in the request JSON, like this:

PUT /api/user/registration

Example Request JSON
{
  "generateAuthenticationToken": true,
  "registration": {
    "applicationId": "10000000-0000-0002-0000-000000000001",
    "data": {
      "attributes": {
        "displayName": "Johnny",
        "favoriteSports": [
          "Football",
          "Basketball"
        ]
      },
      "preferredLanguages": [
        "en",
        "fr"
      ]
    },
    "id": "00000000-0000-0002-0000-000000000000",
    "roles": [
      "user",
      "community_helper"
    ],
    "username": "johnny123"
  }
}

This request returns a response whose registration object includes the generated token in the authenticationToken field, like this:

Example Response JSON
{
  "registration": {
    "applicationId": "10000000-0000-0002-0000-000000000001",
    "authenticationToken": "52h3h9fsjOn2Eh0+NBT3Kf6NcWFHbJ7oPD0sFsHMQps=",
    "data": {
      "attributes": {
        "displayName": "Johnny",
        "favoriteSports": [
          "Football",
          "Basketball"
        ]
      },
      "preferredLanguages": [
        "en",
        "fr"
      ]
    },
    "id": "00000000-0000-0002-0000-000000000000",
    "insertInstant": 1446064706250,
    "lastLoginInstant": 1456064601291,
    "roles": [
      "user",
      "community_helper"
    ],
    "username": "johnny123",
    "usernameStatus": "ACTIVE"
  }
}

For more information, review the User Registration APIs.

1.3. Authenticating Using a Token

Once a User has been given an Application-specific Authentication Token, you can supply it to the Login API in the password field, as long as you also include the Application Id in the request. Tokens are bound to a single Application, so a login request that omits the applicationId, or names a different Application, will not authenticate with the token. Here is an example request to the Login API:

Example Request JSON
{
  "loginId": "example@inversoft.com",
  "password": "52h3h9fsjOn2Eh0+NBT3Kf6NcWFHbJ7oPD0sFsHMQps=",
  "applicationId": "10000000-0000-0002-0000-000000000001",
  "ipAddress": "192.168.1.42"
}
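The two calls described in sections 1.2 and 1.3, as an added, runnable example that is not Passport's own code or documentation. It drives a small client against an in-process stand-in for the Passport API so the exchange can be exercised offline: the client sends the generateAuthenticationToken request, takes the token from the response, then logs in with the token in the password field and shows that the same token is rejected for a different applicationId. The Login API path (POST /api/login), the Authorization header carrying the API key, the use of the username as loginId, and the stand-in's internal bookkeeping are assumptions for this example, not details stated on the page.

```python
"""Added example, not Passport's own code: token generation (1.2) and token
login (1.3) against a minimal in-process stand-in for the Passport API.
Assumed, not from the page: POST /api/login as the Login API path, the API
key in an Authorization header, and username used as loginId."""
import hmac
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

APP_ID = "10000000-0000-0002-0000-000000000001"  # applicationId from the page's example
API_KEY = "constructed-api-key"                  # constructed value for the stand-in
TOKENS = {}  # stand-in state: (username, applicationId) -> authenticationToken


class StubPassport(BaseHTTPRequestHandler):
    """Just enough of the Registration and Login APIs to exercise the client."""

    def log_message(self, *args):  # keep request logging quiet
        pass

    def _json_body(self):
        length = int(self.headers.get("Content-Length", 0))
        return json.loads(self.rfile.read(length) or b"{}")

    def _reply(self, status, payload):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # Registration API (section 1.2): honour generateAuthenticationToken
        if self.path != "/api/user/registration":
            return self._reply(404, {})
        if self.headers.get("Authorization") != API_KEY:
            return self._reply(401, {})
        req = self._json_body()
        reg = dict(req["registration"])
        if req.get("generateAuthenticationToken"):
            # secrets.token_urlsafe stands in for Passport's secure random generator
            reg["authenticationToken"] = secrets.token_urlsafe(32)
            TOKENS[(reg["username"], reg["applicationId"])] = reg["authenticationToken"]
        self._reply(200, {"registration": reg})

    def do_POST(self):
        # Login API (section 1.3): the token is only valid for the given applicationId
        if self.path != "/api/login":
            return self._reply(404, {})
        req = self._json_body()
        expected = TOKENS.get((req.get("loginId"), req.get("applicationId")))
        # constant-time comparison: the token is a credential, compare it like one
        if expected is not None and hmac.compare_digest(expected, req.get("password", "")):
            self._reply(200, {"user": {"username": req["loginId"]}})
        else:
            self._reply(404, {})  # generic failure, no hint about which field was wrong


def _call(base_url, method, path, body):
    request = Request(base_url + path, method=method, data=json.dumps(body).encode(),
                      headers={"Content-Type": "application/json", "Authorization": API_KEY})
    try:
        with urlopen(request) as response:
            return response.status, json.loads(response.read() or b"{}")
    except HTTPError as error:
        return error.code, {}


def generate_token(base_url, username, app_id=APP_ID):
    """Create or update a Registration and ask for an Authentication Token."""
    body = {"generateAuthenticationToken": True,
            "registration": {"applicationId": app_id, "username": username, "roles": ["user"]}}
    status, payload = _call(base_url, "PUT", "/api/user/registration", body)
    if status != 200:
        raise RuntimeError(f"registration request failed: HTTP {status}")
    return payload["registration"]["authenticationToken"]


def login_with_token(base_url, login_id, token, app_id=APP_ID):
    """The token travels in the password field; applicationId is mandatory."""
    status, _ = _call(base_url, "POST", "/api/login",
                      {"loginId": login_id, "password": token, "applicationId": app_id})
    return status == 200


def run_demo():
    """Start the stand-in, generate a token, then try one good and two bad logins."""
    TOKENS.clear()
    server = HTTPServer(("127.0.0.1", 0), StubPassport)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        token = generate_token(base_url, "johnny123")
        return {
            "token_length": len(token),  # 43 chars, inside the 30-45 range quoted above
            "login_ok": login_with_token(base_url, "johnny123", token),
            "wrong_token": login_with_token(base_url, "johnny123", token + "x"),
            "wrong_app": login_with_token(base_url, "johnny123", token,
                                          app_id="10000000-0000-0002-0000-000000000002"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Two details of the stand-in are the ones worth carrying into a real deployment: the token check uses a constant-time comparison, and a failed login returns the same generic failure whether the loginId, the token or the applicationId was wrong, so the response leaks nothing about which Application a given token belongs to.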